This is our old Q&A Site. Please post any new questions and answers at


I am trying to build a capture filter on some traffic which contains VLAN tags. The frames happen to contain two VLAN tags. I don't really care what VLANs they are, as I am mainly interested in the destination IP and port number.

If I use this capture filter below, I dont see any traffic:

tshark -i eth1 vlan and host

However, if I change my filter to this:

tshark -i eth1 vlan && host

everything works fine. Does anyone know the difference between using "and" vs "&&"? Does it have anything to do with the multiple VLAN tags?


asked 21 May '12, 06:59

Gian%20Sartor's gravatar image

Gian Sartor
accept rate: 0%

edited 21 May '12, 15:00

helloworld's gravatar image


&& has a special meaning in your shell.

command1 && command2
command2 is executed if, and only if, command1 returns an exit status of zero.

So, the difference between your two commands is:

The command:

tshark -ni eth1 vlan and host

shows only VLAN tagged traffic to and from host

The command:

tshark -ni eth1 vlan && host

runs actually just this command (due the the special meaning of &&):

tshark -ni eth1 vlan

tshark will show any VLAN tagged traffic (without host filter). If that command exits with code 0, the shell would then run this command:


The result of the host command (if installed on your system) would be something like this:

Host not found: 3(NXDOMAIN)

BTW: If you want to use && in the capture filter, you'll have to "escape" it for the shell with single quotes.

tshark -ni eth1 'vlan && host'

This is identical to:

tshark -ni eth1 'vlan and host'
tshark -ni eth1 vlan and host


permanent link

answered 21 May '12, 07:35

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 21 May '12, 15:04

helloworld's gravatar image


(Presumably, no vlan traffic is going to or from, so a filter that tests for both will see no packets, but a filter testing only for VLAN frames will see packets. From the point of view of libpcap/WnPcap, which both tcpdump and Wireshark use for capture filters, and and && behave exactly the same.)

(21 May '12, 09:55) Guy Harris ♦♦

Kurt, thanks for your response. this makes perfect sense now. So although I was seeing traffic which contained vlan tags, the filter by host wasn't actually getting applied... gotcha!

Incidentally, I had a few more attempts on the filter for packets with multiple vlan tags and I think I got it working. This is what I ended up with -

tshark -i eth1 "vlan and (vlan and host"

Thanks again Gian

(23 May '12, 07:57) Gian Sartor


tshark -i eth1 "vlan and (vlan and host"

you don't need vlan twice. This should be equivalent to your command:

tshark -i eth1 "vlan and host"

(23 May '12, 08:13) Kurt Knochner ♦


tshark -i eth1 "vlan and (vlan and host"

Will look for an IP address after TWO vlan headers (ie Q-in-Q), which is different from what happens when using the vlan directive once. As Gian said: "I had a few more attempts on the filter for packets with multiple vlan tags" :-)

(yes, my first reaction was also: "Hey, you don't need two vlan directives"!)

(23 May '12, 08:19) SYN-bit ♦♦

packets with multiple vlan tags

Ah, good catch :-) Thanks for the hint...

(23 May '12, 08:31) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 21 May '12, 06:59

question was seen: 10,310 times

last updated: 12 Sep '16, 06:12

p​o​w​e​r​e​d by O​S​Q​A